Monday, January 12, 2015
When I'm being honest, I must agree with this. Still, I'd hope senior management's bonuses are reduced by the cost of any “settlement.”
Stewart Baker writes:
…So, how much incentive for better security comes from the threat of data breach liability? Some, but not much. As I’ve been saying for a while, the actual damages from data breaches are pretty modest in dollar terms, and the pattern of losses makes it very hard to sustain a single class, something that forces up the cost of litigation for the plaintiffs.
You can see this pattern in recent data breach settlements.
Read more on WaPo The Volokh Conspiracy.
For my Ethical Hackers. Make sure your lawyer has a copy. (No mention of North Korea)
Tallinn Manual on the International Law Applicable to Cyber Warfare
NATO Cooperative Cyber Defence Centre of Excellence: “The Tallinn Manual on the International Law Applicable to Cyber Warfare, written at the invitation of the Centre by an independent ‘International Group of Experts’, is the result of a three-year effort to examine how extant international legal norms apply to this ‘new’ form of warfare. The Tallinn Manual pays particular attention to the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law). Related bodies of international law, such as the law of State responsibility, are dealt with in the context of these topics. The Tallinn Manual is not an official document, but instead an expression of the scholarly opinions of a group of independent experts acting solely in their personal capacity. It is not meant to represent the views of the Centre, our Sponsoring Nations, or NATO; NATO doctrine; or the official position of any organization or State that provided observers to the project. The Tallinn Manual is available in both paper and electronic copies from Cambridge University Press (© Cambridge University Press 2013). We have also made the book available for reading and research.”
Ethical Hackers: Is this what your lawyers are telling you?
E-mail warrant for all evidence of CFAA crimes violates Fourth Amendment, court holds
By Orin Kerr January 9
In a recent case, United States v. Shah, 2015 WL 72118 (E.D.N.C. Jan. 6, 2015), a district court ruled that a search warrant for an e-mail account for all evidence of violations of the federal computer hacking statute failed to comply with the Fourth Amendment because it did not particularly describe the evidence to be seized.
… According to the district court, however, the warrant was not specific enough. From the opinion:
The provision [of the warrant] describing the documents “seized” makes a general reference to “[a]ll information described above in Section I that constitutes fruits, evidence, and instrumentalities of Title 18, United States Code, Sections 1030 (Fraud and Related Activity in Connection with Computers).” (Google Warrant, 6).
… A violation of the CFAA would not necessarily generate such “distinctive evidence” as bank robbery or narcotics. Dickerson, 166 F.3d at 694. Nor would evidence necessarily be as distinctive as that of child pornography, a type of crime more commonly targeted by warrants for electronic information.
… Rather, a warrant authorizing collection of evidence of a CFAA violation comes closer to warrants seeking to collect evidence regarding violations of broad federal statutes prohibiting fraud or conspiracy. In these cases, limitation by reference to the broad statute fails to impose any real limitation.
A Big Data downside? Law steps in where common sense fails.
If you are not covered by specific laws you get no training. If you get no training you see no reason not to do whatever you want with your data. If you do whatever you want with your data, eventually you will be covered by specific laws.
If at first you don’t succeed, persist. And blog.
Jon Baines writes:
Imagine, if you will, a public authority which decides to publish as Open Data a spreadsheet of 6000 individual records of adults receiving social services support. Each row tells us an individual service user’s client group (e.g. “dementia” or “learning disability”), age range (18-64, 65-84, 84 and over), the council ward they live in, the service they’re receiving (e.g. “day care” or “direct payment” or “home care”), their gender and their ethnicity. If burrowing into that data reveals that one, and only one, Bangladeshi man in the Blankety ward aged 18-64 with a learning disability is in receipt of direct payments, most data protection professionals (and many other people besides) would recognise that this is an identifiable individual, if not to you or me, then almost certainly to some of his neighbours or family or acquaintances.
If these individuals are identifiable (and, trust me, these are only two examples from hundreds, in many, many spreadsheets), then this is their sensitive personal data which is being processed by the public authority in question (which I am not identifying, for obvious reasons). For the processing to be fair and lawful it needs a legal basis, by the meeting of at least one of the conditions in Schedule Two and one in Schedule Three of the Data Protection Act 1998 (DPA).
And try as I might, I cannot find one which legitimises this processing, not even in the 2000 Order which significantly added to the Schedule 3 conditions. And this was why, when the datasets in question were drawn to my attention, I flagged my concerns up with the public authority
Read more on Information Rights and Wrongs.
It’s somewhat disturbing not only that Jon had to raise the issue, but also that the responses he got were neither timely nor effective. Although DataBreaches.net is a U.S. site, the exposure of personal information anywhere is of concern, and we urge the Information Commissioner’s Office to either get those data sets removed already or explain why such disclosure is lawful under U.K. law. [That takes training. Bob]
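The “one, and only one, Bangladeshi man in the Blankety ward” problem Jon describes is exactly what a k-anonymity check catches before a spreadsheet goes out the door: group the rows by the columns an outsider could already know (age band, ward, gender, ethnicity) and look for groups of size one. The script below is an added example for this post, not code from Jon Baines, DataBreaches.net or the public authority in question; the rows, column names, ward names and the ward-to-area mapping are all constructed for illustration. It also shows the trap that a simple size check misses (a group of two where both people have the same client group still discloses that client group) and what it costs to generalise and suppress until every remaining row hides among at least three others.

```python
"""
Re-identification check for an 'open data' extract of social-care records.

Added example for this post; it is not Jon Baines's code or the public
authority's data. The records, column names, ward names and the ward-to-area
mapping below are all constructed for illustration.
"""
from collections import Counter, defaultdict

# Columns an outsider (a neighbour, a relative) could plausibly already know:
# these are the quasi-identifiers. client_group and service are the sensitive
# attributes the release must not let anyone attach to a named person.
QUASI_IDENTIFIERS = ("age_band", "ward", "gender", "ethnicity")
COLUMNS = QUASI_IDENTIFIERS + ("client_group", "service")

# Constructed sample rows (assumption: not real data). Row 0 is the case the
# post describes: the only Bangladeshi man aged 18-64 in 'Blankety' ward.
SAMPLE_RECORDS = [dict(zip(COLUMNS, row)) for row in [
    ("18-64", "Blankety", "M", "Bangladeshi",   "learning disability", "direct payment"),
    ("18-64", "Blankety", "M", "White British", "learning disability", "day care"),
    ("18-64", "Blankety", "M", "White British", "dementia",            "home care"),
    ("18-64", "Blankety", "F", "White British", "learning disability", "direct payment"),
    ("18-64", "Blankety", "F", "White British", "dementia",            "day care"),
    ("65-84", "Blankety", "F", "White British", "dementia",            "home care"),
    ("65-84", "Blankety", "F", "White British", "dementia",            "day care"),
    ("65-84", "Otherton", "M", "Bangladeshi",   "dementia",            "home care"),
    ("65-84", "Otherton", "M", "Bangladeshi",   "learning disability", "day care"),
    ("65-84", "Otherton", "F", "White British", "learning disability", "direct payment"),
    ("65-84", "Otherton", "F", "White British", "dementia",            "home care"),
]]

# Assumed coarser geography used when generalising the 'ward' column.
WARD_TO_AREA = {"Blankety": "North", "Otherton": "North"}


def qi_key(record, quasi_ids=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values an attacker would match on."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """How many rows share each quasi-identifier combination."""
    return Counter(qi_key(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """Smallest class size. k == 1 means at least one person is uniquely described."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi_ids=QUASI_IDENTIFIERS, k_min=2):
    """Rows whose quasi-identifier combination occurs fewer than k_min times."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[qi_key(r, quasi_ids)] < k_min]


def homogeneous_classes(records, sensitive, quasi_ids=QUASI_IDENTIFIERS, min_size=2):
    """Classes that pass the size test but still leak: every member has the same
    sensitive value, so knowing someone is in the class reveals it."""
    values = defaultdict(set)
    for r in records:
        values[qi_key(r, quasi_ids)].add(r[sensitive])
    classes = equivalence_classes(records, quasi_ids)
    return sorted(key for key, vals in values.items()
                  if classes[key] >= min_size and len(vals) == 1)


def generalise(records, transforms):
    """Return copies of the rows with each listed column coarsened by its function."""
    out = []
    for r in records:
        g = dict(r)
        for col, fn in transforms.items():
            g[col] = fn(r[col])
        out.append(g)
    return out


def release(records, k_min, transforms, quasi_ids=QUASI_IDENTIFIERS):
    """Generalise, then suppress any row still sitting in a class smaller than k_min."""
    generalised = generalise(records, transforms)
    classes = equivalence_classes(generalised, quasi_ids)
    return [r for r in generalised if classes[qi_key(r, quasi_ids)] >= k_min]


if __name__ == "__main__":
    print("k of raw extract:", k_anonymity(SAMPLE_RECORDS))
    for r in singled_out(SAMPLE_RECORDS):
        print("uniquely described:", qi_key(r), "->", r["client_group"], "/", r["service"])
    print("size-2+ classes that still leak client_group:",
          homogeneous_classes(SAMPLE_RECORDS, "client_group"))
    safer = release(SAMPLE_RECORDS, k_min=3,
                    transforms={"ethnicity": lambda _: "*",
                                "ward": lambda w: WARD_TO_AREA.get(w, "*")})
    print("after generalising ethnicity and ward, k >= 3 keeps",
          len(safer), "of", len(SAMPLE_RECORDS), "rows; k =", k_anonymity(safer))
```

Run against the constructed rows, the raw extract has k = 1 (row 0 is the man in the post), suppressing ethnicity alone only gets k to 2, and reaching k = 3 after coarsening ward as well means dropping four of eleven rows. That loss of rows is the real trade-off an Open Data publisher has to make, and it is why 6000 rows of six free-text columns should never have gone out without someone running this arithmetic first.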
For my Data Management and Business Intelligence students.
Seldon Predictive API makes Life Easier for Data Scientists
Seldon will soon release an open-source predictive API aiming to ease the demand on data scientists. The API makes it easy to apply multiple algorithms which can recommend content tailored to customers and offer app personalisation, as well as many other powerful features.
… "We help the world’s leading media and e-commerce companies leverage cutting edge big data technologies, machine learning algorithms, and social data, to provide the most intelligent solution for personalisation, recommendation and targeting," Seldon’s website says.
More businesses are embracing the role of in-house data scientists as they seek to differentiate themselves and provide a better end-user experience through personalisation.
… They are currently taking requests for their private beta, planning a staged rollout in early 2015.
Convergence? TV via Internet rather than Cable or Satellite, so why not give your TV a dedicated PC?
Intel Compute Stick Turns Any TV Into A Windows PC For Just $149
… All it takes is a little stick, much like the much-loved Google Chromecast. Meet the all-new Intel Compute Stick.
The Compute Stick is essentially a complete PC, but in the compact form factor of a slightly large pen drive. It connects to a TV via HDMI, but also has to be powered with a microUSB cord.
… It will also be available with Linux, but that version will come with 8GB of storage and 1GB RAM. That model will retail for $89, Intel said.
For my Students.
7 Insightful Infographics For Any Windows User
(Related) Not as useful, but still interesting.
9 maps that explained the Internet in 2014
Washington Post: “This was a big year for the Internet, from the U.S. debate over net neutrality to proposals to shift control of the worldwide Web to the global community. Here are maps that can help you understand how the Internet worked and how people used it in 2014.”